fear demo keystroke logger changes explorer exe detected

This was annoying - but the very latest version (6.0) of ZoneAlarms Suite is rather good at detecting programs altering other programs, like:

"ZA has detected FearSPDemo.exe has a keystroke logger and is trying to alter explorer.exe" this is Dangerous Activity rated as Suspicious = do you want to Allow or Deny?

Allowing Fear to alter explorer also alters ZA so the virus scanner and spybot tab is removed! Did a system restore and re-checked this twice - same situation each time. Game plays fine if you disable it from changing explorer and also if you disable web access! And ZA is fine if you don't let FEAR hack explorer.

I also tried deleting the Firewall program entry definition for fear and re-ran the demo. This time there was no alert for it trying to alter explorer.exe - meaning perhaps it only does this on its very first run (or perhaps ZA has limitations - though to date I tend to trust it based on its performance for me).

No one else in Australia seems to have witnessed this behaviour - anyone else catch this?
=============
I noticed that when you quit the demo, your internet browser is activated with a link to a FEAR promotion. Perhaps it's related to this? I'm using ZA 4.5 at the moment and didn't receive any warning about a key logger, although I don't believe this version has that functionality.
=============
FEAR also tries to send UDP packets to a server when you start it. Haven't detected it trying to modify explorer, though.
=============
Probably a false positive caused by the demo automatically starting your browser after you exit the demo. For me it didn't even start Explorer, as Firefox is set as my default browser. The initial packets are probably either anonymous statistics gathering of the number of people playing the demo, or part of the online gaming code that's still in there, maybe checking in with a master server.
=============
I kinda agree - although on clean installs letting it alter explorer.exe (not iexplorer) reduced the resultant functionality of Zone Alarms, in that the virus scanner and spybot tabs simply disappeared after a re-boot. Why would this happen unless it was a targeted behaviour?
=============
Well, Kerio firewall doesn't let the demo run. It gives a "Intrusion attempt blocked" warning... something about an invalid instruction.
=============
Ouch, I'm starting to feel glad I didn't download this demo. Sounds like some rather nasty spyware in there to me.
=============
I have a hard time believing the demo of a major game includes spyware or has spyware-like functionality. It simply doesn't make sense, and if true, would simply create a massive amount of badwill from the people this game is targeted to.

And for what reason? What would the game makers have to gain by this? Nothing really. It would just be stupid of them.
=============
Oh, I'm sure the developers wouldn't have anything to do with it. But I wouldn't put anything past publishers.
=============
My feeling at this time is that it's probably system information and performance statistics gathering (like what Valve does). If someone has a copy of the EULA handy from the install, you might want to read through and see if it mentions anything about "by accepting this license you agree to allow the program to upload anonymous data to Monolith blah blah blah" or some such.
=============
A few days after I installed the FEAR demo and played it several times the following entry appeared in my HijackThis v1.99 scan:

O23 - Service: Serviço de indexação (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

I was using DAP 7 when win xp asked me to insert the WinXp install Cd-rom in order to put that file.

I've been using DAP for several months and never saw this happen.
The only thing I suspect is the FEAR demo, because it's the last thing I installed on my computer.
=============
Guys, do this: go to your windows account directory you installed the FEAR demo on (usually c:\documents and folders\username\) and navigate to Application Data\SecuROM\UserData.

See if you have a couple of hidden files with invalid characters in the name that resist deletion with the exact date of the installation of the FEAR demo.
=============
Guys, do this: go to your windows account directory you installed the FEAR demo on (usually c:\documents and folders\username\) and navigate to Application Data\SecuROM\UserData.

See if you have a couple of hidden files with invalid characters in the name that resist deletion with the exact date of the installation of the FEAR demo.

"This security system is connected with a MS Windows Service called "SecuROM User Access Service".
This module is started automatically when launching a protected application if the user is logged in with Windows administrator rights.
In case users do not have administrator rights we recommend to keep it running.

See www.securom.com for further information"

Bleh, DRM crap. It's only going to get worse, too. I can't wait to see the crap Avalon supports.
=============
"This security system is connected with a MS Windows Service called "SecuROM User Access Service".

Yep, except the funny thing is that I don't have any such service running (or even present in the service's list for that matter) and I don't have any "UAServce7.exe" file mentioned on Securom's website.

Leaving files windows can't delete (not even in safe mode) after uninstalling a DEMO is pissing me off to no end. I can't even begin to imagine what they do in the full game.

And obviously, googling for "remove securom files" shows me all kinds of dodgy websites but no clear answer.
=============
pir8s are to blame.
=============
pir8s are to blame.
Spyware has nothing to do with pirating software.

The increased challenge of removing spyware is directly correlated with more people using simple methods to remove it.
=============
SecuROM isn't spyware (from the game industry's perspective). It's not SecuROM that is trying to establish a connection over the internet, either--it's GameSpy. They must have just disabled the multiplayer menu, but still have the GameSpy client connect to their servers at startup. It is a 1.4 GB demo after all, have to figure they didn't remove too much.
=============
Then why would it resist deletion? I know SecuROM didn't used to be Spyware, but perhaps that's changed.
=============
-----------------------------------------------------------------------------------------------------------------------------
PLEASE DO NOT DELETE THE FILES IN THIS FOLDER BECAUSE YOU MIGHT LOOSE ESSENTIAL DIGITAL RIGHTS.
READ BELOW
-----------------------------------------------------------------------------------------------------------------------------

Technical Information for the PC Administrator:

The files securom_v7_01.dat and securom_v7_01.bak have been created during the installation of a SecuROM protected application.
It guarantees more user convenience because the original disc does not have to be in the local drive at all times anymore.
It is necessary for copy protected CDs, demo versions and protected software downloaded from the Internet.
The file contains your licences for all products which are SecuROM protected, therefore it will not be deleted automatically.

-----------------------------------------------------------------------------------------------------------------------------
PLEASE DO NOT DELETE THE FILE BECAUSE YOU MIGHT LOOSE ESSENTIAL DIGITAL RIGHTS.
-----------------------------------------------------------------------------------------------------------------------------

The information contained in securom_v7_01.dat will not be transferred to any other computer without your permission.

This security system is connected with a MS Windows Service called "SecuROM User Access Service".
This module is started automatically when launching a protected application if the user is logged in with Windows administrator rights.
In case users do not have administrator rights we recommend to keep it running.

See www.securom.com for further information

From the read me in the Folder C:\Documents and Settings\USERNAME\Application Data\SecuROM\UserData

Doesn't seem like a problem to me.
=============
Doesn't seem like a problem to me.

Can you delete the two hidden files with invalid file names?
=============
SecuROM isn't spyware (from the game industry's perspective). It's not SecuROM that is trying to establish a connection over the internet, either--it's GameSpy. They must have just disabled the multiplayer menu, but still have the GameSpy client connect to their servers at startup. It is a 1.4 GB demo after all, have to figure they didn't remove too much.

The FEAR demo is only 650MB. You might be getting it confused with the insanely massive Dungeon Siege 2 demo.
=============
Can you delete the two hidden files with invalid file names?

No I can't do it from within windows but maybe I can do it from my PE bootdisk.
=============
Really simple solution stop buying the games that have this @@#$ in them. I would say active prove out pointless it is to include DRM but I don't condone piracy.
=============
A few days after I installed the FEAR demo and played it several times the following entry appeared in my HijackThis v1.99 scan:



I was using DAP 7 when win xp asked me to insert the WinXp install Cd-rom in order to put that file.

I've been using DAP for several months and never saw this happen.
The only thing I suspect is the FEAR demo, because it's the last thing I installed on my computer.

Are you running Grisoft's AVG anti-virus? Because one of the updates in the last week suddenly decided that "cisc.exe" was in fact a trojan and moved it to the virus vault during the scheduled scan.

I woke up and also found Windows' system file protection asking for my Windows CD to replace the file, so it sounds like that's more your problem than anything else.
=============
Can you delete the two hidden files with invalid file names?

The only way I could do this was to open a command window, go to the application/securom directory and type:

del /s /f /a:hsr userdata\*.*

Variations of it should work to wipe from the parent directory, such as

del /s /f /a:hsr securom


Bear in mind that if you have any other SecuROM products installed, this will stop them working. Also be careful when you do this. If you are in the wrong directory or choose the wrong target, it will delete everything. It's a recursive, forced delete that also deletes system/hidden/readonly files. There's no going back.


I did actually mail Securom support asking for a fix before I figured this out on my own, so let's see if/how they respond, and how long it takes.
=============
If you want to get rid of locked files, start a command prompt (cmd), and type:


REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Session Manager" /f /v "PendingFileRenameOperations" /t "REG_MULTI_SZ" /s "*" /d "\??\C:\Directory\FileName.Ext*\??\C:\Directory\Ren amedFile.Ext"


where C:\Directory\FileName.Ext is the name of the file you want to get rid of with the next reboot, and C:\Directory\RenamedFile.Ext where it will go to. This should work on any W2000/XP. Depending on your version of Windows and service pack, you might be able to do this with regedit as well, but that doesn't work every time.

Edit: the board inserts a space in "Control" and "RenamedFile", even with the code tags...
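
For anyone who wants to check what is already queued in that registry value before adding to it, here is an added example (not code from any poster in this thread) that decodes PendingFileRenameOperations entries into readable operations. The function names and the two constructed sample entries are hypothetical; it assumes the standard layout of source/target string pairs, where an empty target means "delete at next boot" and a target starting with "!" means "replace an existing file".

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"  # NT object-namespace prefix seen in the command above


@dataclass
class PendingOp:
    source: str
    target: Optional[str]    # None: the source is deleted at next boot
    replace_existing: bool   # target was prefixed with "!"
    action: str              # "delete" or "rename"


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def split_reg_add_data(data: str, separator: str = "*") -> List[str]:
    """Split the /d argument of REG ADD using the /s separator (as in the post)."""
    return data.split(separator)


def parse_pending_renames(strings: List[str]) -> List[PendingOp]:
    """Pair up the strings of the REG_MULTI_SZ value, in order."""
    if len(strings) % 2:
        raise ValueError("value must hold source/target pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        target = _strip_nt(dst) or None
        action = "delete" if target is None else "rename"
        ops.append(PendingOp(_strip_nt(src), target, replace, action))
    return ops


def ops_touching(ops: List[PendingOp], directory: str) -> List[PendingOp]:
    """Operations whose source or target lies under `directory` (case-insensitive)."""
    root = ntpath.normcase(directory).rstrip("\\") + "\\"
    return [op for op in ops
            if any(p and ntpath.normcase(p).startswith(root)
                   for p in (op.source, op.target))]


# The data string from the command above, with the board's stray spaces removed.
PAGE_DATA = r"\??\C:\Directory\FileName.Ext*\??\C:\Directory\RenamedFile.Ext"
# Constructed entries: one delete and one replace-existing rename.
CONSTRUCTED = [r"\??\C:\Temp\old.tmp", "",
               r"\??\C:\Temp\new.dll", r"!\??\C:\App\lib.dll"]

if __name__ == "__main__":
    for op in parse_pending_renames(split_reg_add_data(PAGE_DATA) + CONSTRUCTED):
        print(op)
```
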
=============
It's not a locked file once you've killed the Securom service (in the traditional sense of something still using it). The files (and the couple of directories they are in) are marked readonly, system and hidden, and made up of garbage characters that windows won't accept as a valid filename, hence the jiggery-pokery trying to delete them.

I doubt the above will work, because you won't be able to enter, or cut and paste the invalid filename into the path.
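
To make "a filename Windows won't accept" concrete, here is an added example (not part of any post in this thread) that checks directory entry names against the Win32 naming rules and, where the only problem is one that Win32 path normalisation causes, builds the `\\?\` form of the path that skips that normalisation. The function names and the sample names are constructed for illustration; the real names of the SecuROM files are not given in the thread.

```python
# Characters Win32 rejects in a file name (control characters 0-31 are checked separately).
ILLEGAL_CHARS = set('<>:"/\\|?*')
# DOS device names, reserved with or without an extension.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})
# Problems created by Win32 name normalisation; a \\?\ path is passed through as-is.
NORMALISATION_ONLY = {"trailing space or dot", "reserved device name"}


def win32_name_problems(name):
    """Return the reasons one path component is not a valid Win32 file name."""
    problems = []
    if any(ord(c) < 32 for c in name):
        problems.append("control character")
    if any(c in ILLEGAL_CHARS for c in name):
        problems.append("illegal character")
    if name not in (".", "..") and name.endswith((" ", ".")):
        problems.append("trailing space or dot")
    if name.split(".", 1)[0].rstrip(" ").upper() in RESERVED:
        problems.append("reserved device name")
    return problems


def extended_path(directory, name):
    """Build the \\\\?\\ form of directory + name (drive-letter paths only)."""
    if not (len(directory) >= 3 and directory[1:3] == ":\\"):
        raise ValueError("expected an absolute drive-letter directory")
    return "\\\\?\\" + directory.rstrip("\\") + "\\" + name


def audit_names(directory, names):
    """Report every name Explorer or cmd would choke on, and how to reach it."""
    report = []
    for name in names:
        problems = win32_name_problems(name)
        if not problems:
            continue
        usable = set(problems) <= NORMALISATION_ONLY
        report.append({
            "name": name,
            "problems": problems,
            # None: likely needs offline access, e.g. a boot CD as suggested in the thread.
            "extended_path": extended_path(directory, name) if usable else None,
        })
    return report


# Folder named in the SecuROM readme quoted earlier; the file names are constructed.
DIRECTORY = r"C:\Documents and Settings\USERNAME\Application Data\SecuROM\UserData"
SAMPLE_NAMES = ["securom_v7_01.dat", "license. ", "aux.dat", "data\x07.bin", "a?b"]

if __name__ == "__main__":
    for row in audit_names(DIRECTORY, SAMPLE_NAMES):
        print(repr(row["name"]), row["problems"], row["extended_path"])
```
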
=============
Good old DOS, or this program (http://www.jrtwine.com/Products/DelFXPFiles/) should both be able to get rid of those files.
=============
I have tried getting rid of those files with a couple of different boot cd's and have had no luck.

I'll keep trying though.
=============
I have tried getting rid of those files with a couple of different boot cd's and have had no luck.

I'll keep trying though.


I told you how to do it on the previous page of this thread. :roll: You want me to come round there and do it for you too? YOU WANT THE MOON ON A STICK, YOU DO!! <shakes fist at sky>
=============
YOU WANT THE MOON ON A STICK, YOU DO!! <shakes fist at sky>
Here's the moon on a stick: Total Commander (http://www.ghisler.com/)

:razz:
=============
Here's the moon on a stick: Total Commander (http://www.ghisler.com/)

:razz:

Does anyone really want to pay $34 just to delete a couple of files? Can you send the bill to Securom?
=============
Does anyone really want to pay $34 just to delete a couple of files?
Probably not, I guess, but Total Commander is the best file manager ever. I work with TONS of files and it never, ever froze/bugged on me, unlike the crap butter covered mess that comes installed with the OS.

It's a shareware, BTW, you can install it just to delete the file.

Although, I agree that Securom shouldn't be allowed to install files that can not be easily deleted by the end user.
=============
Here's the moon on a stick: Total Commander (http://www.ghisler.com/)

:razz:

What I really hate about all those NC clones is the user interface, which just utterly sucks. I had to use TC for a while because my explorer was infected with something nasty and I couldn't do a reinstall at given moment - that was the worst "user experience" I ever had, bar none.

But it worked stable and all that at least...
=============
And to get rid of the files, you could use Knoppix (boots from CD) or make a batch file which will delete the files on startup.
=============
The FEAR demo is only 650MB. You might be getting it confused with the insanely massive Dungeon Siege 2 demo.

Gah, you're right, I'm all frazzled. Kind of surprised the F.E.A.R. demo isn't the same way, weren't the NOLF game maps and resources all stored in like one giant GB+ file? Hope they've changed that.
=============
Are you running Grisoft's AVG anti-virus? Because one of the updates in the last week suddenly decided that "cisc.exe" was in fact a trojan and moved it to the virus vault during the scheduled scan.

I woke up and also found Windows' system file protection asking for my Windows CD to replace the file, so it sounds like that's more your problem than anything else.


I am running AVG antivirus and that's exactly what happened to me. I woke up the next morning and windows was asking for the installation cd...

Did you restore c:\windows\system32\cisvc.exe?
=============
I told you how to do it on the previous page of this thread. :roll: You want me to come round there and do it for you too? YOU WANT THE MOON ON A STICK, YOU DO!! <shakes fist at sky>

Btw I had already tried your version before first posting here and it didn't work for me then. I tried it again pasting exactly what you suggest just in case I made an error before and still doesn't work. I get a "the system cannot find the file specified".

I'm going to try Windows Commander.

EDIT: Total Commander not working either. Gives me the same invalid filename cannot be found crap.
=============
Btw I had already tried your version before first posting here and it didn't work for me then. I tried it again pasting exactly what you suggest just in case I made an error before and still doesn't work. I get a "the system cannot find the file specified".

I'm going to try Windows Commander.

EDIT: Total Commander not working either. Gives me the same invalid filename cannot be found crap.

Ahh you can't be doing it right then. Try recursively unsetting the attributes on all the files and hidden/system parent directories using wildcards, maybe in safe mode. If that doesn't work, I can only shrug and say it worked for me.

You might have to mail the Securom support addresses and bitch to them for a fix.
=============
Ahh you can't be doing it right then. Try recursively unsetting the attributes on all the files and hidden/system parent directories using wildcards, maybe in safe mode. If that doesn't work, I can only shrug and say it worked for me.

I have already everything from \securom onwards de-hidden, de-readonly, de-archive, de-system and it worked except for those two hidden invalid files. I tried safe mode, I tried rescue, I tried everything short of booting off a USB-linux distro.

You might have to mail the Securom support addresses and bitch to them for a fix.

I mailed them yesterday. No reply yet. I'm probably going to wait until ATi releases Cat 5.8, format my OS partition and nuke the thing from orbit, only way to be sure. Not a happy camper right now.
=============
How about a program that deletes/renames everything in the current directory? If that would work I'll write one. Tomorrow.
=============
EDIT: Total Commander not working either. Gives me the same invalid filename cannot be found crap.
Strange, I deleted the Securom folder with it, this very morning.
Just give a look to the options of TC, and give it the authorization to delete system/hidden files.

Worst case, do as others said, try either a batch file at start-up or a Live linux CD (http://distrowatch.com/dwres.php?resource=cd). Should do the work.
=============
I have already everything from \securom onwards de-hidden, de-readonly, de-archive, de-system and it worked except for those two hidden invalid files. I tried safe mode, I tried rescue, I tried everything short of booting off a USB-linux distro.


Are you trying to delete the files, or are you trying to recursively delete the parent directory and all contents regardless of attributes? The latter should work.


I mailed them yesterday. No reply yet. I'm probably going to wait until ATi releases Cat 5.8, format my OS partition and nuke the thing from orbit, only way to be sure. Not a happy camper right now.

That's interesting. I got a mail back within about an hour, but it was a non-reply. They didn't tell me how to delete the files, just wanted to know what software I was using that was causing my "backup problem" (I baited them with a compatibility issue). After I told them I had fixed it myself, I gave them a telling off for making software that deliberately locks invalid files into the filesystem.
=============
Strange, I deleted the Securom folder with it, this very morning.
Just give a look to the options of TC, and give it the authorization to delete system/hidden files.

Worst case, do as others said, try either a batch file at start-up or a Live linux CD (http://distrowatch.com/dwres.php?resource=cd). Should do the work.

Look at this please:

This is what I get when I try deleting the files/folders in TC:
http://img134.imageshack.us/img134/1425/del11po.th.jpg (http://img134.imageshack.us/my.php?image=del11po.jpg)

The two files don't even show up in TC's left pane and I can't change the file's attributes in windows either:
http://img134.imageshack.us/img134/2152/del24vw.th.jpg (http://img134.imageshack.us/my.php?image=del24vw.jpg)
=============
Look at this please
Ok, that's now officially strange. :???:
=============
Look at this please:

The two files don't even show up in TC's left pane and I can't change the file's attributes in windows either:


You can't change the attributes in windows because the OS can't lock the invalid filename. You have to do it from a command tool using recursive command to get the parent directory and everything under it.
=============
You can't change the attributes in windows because the OS can't lock the invalid filename. You have to do it from a command tool using recursive command to get the parent directory and everything under it.

I tried using attrib from a DOS box, no dice, I tried every single DOS command I could think of with several parameters. Same errors every time either the files are not there, the filenames are invalid, directory is not empty, files are system files, etc.

I will be trying a linux distro soon. This is starting to feel like a personal challenge.
=============
I tried using attrib from a DOS box, no dice, I tried every single DOS command I could think of with several parameters. Same errors every time either the files are not there, the filenames are invalid, directory is not empty, files are system files, etc.


Hmm, the only way I could do is as per my previous posting - by doing the whole thing at once in one command to cover all the error states you get if you try to do it separately. I wonder what's different about your system.
=============
Think you have to change permissions from the advanced tab in the security settings for the directory.

With windows you can lock out the administrator from read/write rights using those permissions, of course the admin can always change them ... so it's kinda silly you can't just delete the directory anyway in the first place, but that's windows.
=============
Did you restore c:\windows\system32\cisvc.exe?

Yes - just go into the virus vault in AVG and you should be able to restore it from there.
=============
I don't use IE, and I set my firewall to not allow it to go to their website after the demo.

That is VERY annoying, and I detest it.
=============
I told you how to do it on the previous page of this thread. :roll: You want me to come round there and do it for you too? YOU WANT THE MOON ON A STICK, YOU DO!! <shakes fist at sky>


Yes I read your post, but just like everyone else in this thread except for you it doesn't work <shakes fist back>

I'm going to give a linux distro a go.
=============
Yes I read your post, but just like everyone else in this thread except for you it doesn't work <shakes fist back>

I'm going to give a linux distro a go.
You might wanna try some of the programs on this list (http://ccollomb.free.fr/unlocker/#comparison). <shakes fist in sympathy>
=============
Yes I read your post, but just like everyone else in this thread except for you it doesn't work <shakes fist back>

I'm going to give a linux distro a go.


Hmm, I first did some unsuccessful messing about in safe mode, so maybe I changed some attribs as admin that later allowed me to delete the directories with my system running normally. Very weird, I wish I could remember exactly what "unsuccessful" steps I took before being able to delete the files.

Ahh well, sorry I can't help you, all I can say is that I got it to work here.
=============
Well I tried Total Commander and it did the trick! Strange that some others haven't had luck with it.

Of course firing up the demo puts them back again. :roll:

At least I know how to get rid of them again.
=============
You might wanna try some of the programs on this list (http://ccollomb.free.fr/unlocker/#comparison). <shakes fist in sympathy>
Thanks I already had tried unlocker and a few others but to no avail.
=============
i just wonder why to hell this is included with demo?
=============
i just wonder why to hell this is included with demo?

It's the curse of VU games. Everything they touch puts a cloud on the silver lining. Their "value add" is always the downside. That everything they are involved with just doesn't automatically turn to shit is a testament to the great devs VUG manage to screw with almost every title.

I always rag on EA for being a bunch of beancounters only interested in money, but VUG are just that and a bunch of baby-eating satan-worshipping incompetent sheep-fuckers with it.
=============
there are utilities to remove securom from game anyway.... thats why i am really wondering why in the world you would piss off your potential customers by putting that POS in demo... fucking free demo.... i mean, its not THAT hard to google for "securom, remove"

maybe they wanna demo just how much of trouble you will have with retail version?
=============
there are utilities to remove securom from game anyway.... thats why i am really wondering why in the world you would piss off your potential customers by putting that POS in demo... fucking free demo.... i mean, its not THAT hard to google for "securom, remove"

maybe they wanna demo just how much of trouble you will have with retail version?

A demo is just advertising for the full game, so it seems incredibly stupid to put securom on it at all and piss off your customers before you have their money - but that's the kind of quality service you get from the idiots at VUG.
=============
A demo is just advertising for the full game, so it seems incredibly stupid to put securom on it at all and piss off your customers before you have their money - but that's the kind of quality service you get from the idiots at VUG.

Well, I will never buy this game. I get the retail security stuff but a demo? That's way out of hand, makes me want to make a bin and seed. So now I have to read EULAs before I install a demo... was the EULA even on their site so you could read the fine print on what's installed? Losers.
=============
They justify adding this stuff into demos because they believe if pirates have access to a drm free demo then they'll gain the necessary information to hack the final game.

Of course that's all a load of crap because pirates find ways around it despite this.
=============
They justify adding this stuff into demos because they believe if pirates have access to a drm free demo then they'll gain the necessary information to hack the final game.

Of course that's all a load of crap because pirates find ways around it anyways.

as i said, just google "securom, remove" and thats it...

adding this POS into demo will only make me DL game and laugh in their fucking idiotic faces while playing the game....


this is gone too far.... this is fucking DEMO....
=============
I found a small free util that solved my problem and managed to delete the two hidden invalid files: http://www.purgeie.com/delinv.htm

Thanks to everyone for their help.
=============